Should Internal Audit Report to the CFO?

Moody's recommends that the chief internal auditor report to the CEO and the audit committee, not the CFO.Sarah Johnson, CFO.com | USOctober 13, 2006

Can an internal auditor examine a company's books and controls with an objective eye if the person ultimately responsible for those books and controls is his or her boss? Increasingly, audit committees — whose job includes protecting the independence of internal auditors — are hearing that the answer to that question is no.

The majority of public companies' top internal auditors split their reporting duties between the audit committee and the CFO, with their strategy and functionality falling under the committee's purview and their administrative duties falling under the finance chief's. While having direct access to the CFO exposes the head auditor to a company's financial reporting process, it also can undermine that auditor's independence, according to Moody's Investors Service's recently released best practices for audit committees' oversight of internal auditors.

"It creates a potential conflict if the internal auditors report directly to the CFO," says Dave Richards, president of the Institute of Internal Auditors and a member of the city of Orlando's audit committee.

Moody's recommends that the audit chief's dual reporting relationship include the CEO, rather than the CFO, in order to empower the audit team and make it clear to the rest of the company that senior management considers the audit function a high priority.

This, of course, leaves audit executives still with the tough job of reporting to two bosses, one of whom reports to work only about six times a year during audit-committee meetings. Because of that, the audit-committee chairman should be readily available to the audit head by phone and at informal meetings, says Jim Key, principal partner of consultancy The Shenandoah Group and a member of two audit committees, including that of Coastal Banking Co. in South Carolina. The audit committee should be involved in the chief auditor's performance evaluations and salary negotiations, he adds. At the same time, auditors' compensation incentives should not be linked to corporate performance, says Moody's.

In recent years, as audit committees' prominence has risen and their importance emphasized by Sarbanes-Oxley regulations, "the heads of internal audit teams feel more accountability to audit committees than they ever have," says Mark Watson, Moody's senior vice president of corporate governance, who wrote the report. At the same time, because of Sarbox and pressures from investors wanting sound governance, companies are increasingly adding people to their audit teams, he adds.

The result has been audit-committee meetings that are more frequent, last longer, and are conducted more professionally, Moody's says. In addition, audit committees have gained more control over relationships with both external and internal auditors.

Audit committees also should strengthen their relationship with executives by having frequent, off-the-record meetings, says the Moody's report. That way, if a sensitive issue comes up, the executive involved can feel comfortable talking about it in a setting that has already been established.

Key, who once served as IBM's director of internal audit, also emphasizes the importance of audit committees having routine one-on-one meetings with the CFO and other executives. These informal "executive sessions" give the audit committees an inside look into management's concerns. "The executive sessions provide nuance that written reports can't always capture," says Key. Moody's recommends that these meetings take place at least every quarter.

Although Coastal Banking has these meetings, conducted around the same time as the regular audit-committee meetings, many companies do not, says Watson, because of scheduling conflicts, among other reasons.

The following are some additional highlights from Moody's best practices for audit committees, based on interviews with more than 400 audit-committee chairmen of large U.S. and Canadian companies, along with internal audit professionals.

• The auditing strategy should be timely and comprehensive, covering all auditable units. Moody's agrees with companies that categorize their auditable areas by level of risk (such as high, medium, low) to decide how often to conduct an audit (high-risk areas should be audited at least annually). At the same time, companies need to audit their low-risk areas at least once within a four-year period, Moody's recommends, to avoid any problems. For example, many companies figured their process of administering stock-options grants was a low-risk area, although it turned out not to be: in the past year, questionable grant dates of stock options have resulted in financial restatements and dozens of investigations by the Securities and Exchange Commission.

• The audit plan should be holistic and risk-based. The audit team needs to go beyond focusing solely on financial reporting risks, the main concern of external auditors, Moody's says. Audit committees should evaluate current and prospective risks, including reputational, operational, financial, legal, IT, and compliance risks. From executives, audit committees need an inventory of all risks, Key says, as they need to consider the risk areas no one is considering, such as how a health pandemic would affect a company.

• Audit committees should make sure audit reports are followed up on effectively and in a timely way. Moody's recommends that executives' pay be docked if they take too long to respond to an audit evaluation that is critical of their department.

• Companies should keep their internal audit function in-house. While acknowledging that using third-party audit professionals can have its benefits, such as ensuring the auditors' independence within the organization, Moody's believes doing so brings up too many corporate-governance issues: outsourced auditors do not have enough access to the audit committee, they have less stature within the company to do their job effectively, and their work may be cut back because of budget constraints since they are paid on an hourly basis, Moody's says.

In addition, outsourced auditors will likely miss connecting the dots between the many issues and risks that can pop up at a company, according to Richards. Internal auditors who actually work inside the company day-to-day are more aware of the inner-workings and see the interrelationships between processes and departments, therefore strengthening an organization's risk-management strategy, he says.

• Audit committees should agree on the audit function's role with regard to Sarbanes-Oxley's Section 404. Audit teams, warns Moody's, should not be so entrenched in 404 that they are not concentrating on their traditional duties, and they should not play a role in designing controls or becoming part of the control process.